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Copy protection via multiple tests 



This application claims the benefit of U.S. Provisional Application No. 
60/271,400, filed 26 February 2001, Attorney Docket US0I0044P. 

BACKGROUND OF THE INVENTION 
1. Field of the Invention 

This invention relates to the field of data protection, and in particular to 
protecting data from illicit copying from a remote location. 



20 



2. Description of Related Art 

The protection of data is becoming an increasingly important area of security. 
In many situations, the authority to copy or otherwise process information is verified by 
evaluating the encoding of copy-protected material for particular characteristics. For 
example, copy-protected material may contain watermarks or other encodings that identify 
the material as being copy-protected, and also contains other encodings that identify whether 
this particular copy of the material is an authorized copy, and whether it can be copied again. 
For example, an authorized copy of content material may contain a robust watermark and a 
fragile watermark. The robust watermark is intended to be irremovable from the encoding of 
the content material. Attempting to remove the watermark causes damage to the content 
material. The fragile watermark is intended to be damaged when the content material is 
iUicitly copied. For example, common fragile watermarks are damaged if the content material 
is compressed or otherwise altered. In this manner, content material that is compressed in 
order to be efficiently communicated via the Internet will be received with a robust 
watermark and a damaged fragile watermark. A content-processing device that is configured 
to enforce copy protection rights in this example will be configured to detect the presence of 
a robust watermark, and prevent the processing of the content material containing this robust 
watermark unless the fragile watermark is also present 

The design of a watermarking encoding process and corresponding watermark 
detection involves a tradeoff among conflicting requirements. An ideal watermark should be 
undetectable during a conventional rendering of the content material, yet easily detectable by 
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the watermark detector. As iho walrrmirk*s detectabiUty by the watermark detector increases, 
so too does its detectability during a conventional rendering; similarly, as the watermark's 
und dec lability during a convention rendering decreases, so too does its undetectability by the 
watermark detector. Conventional watermarking processes are biased to assure that the 
5 watermarking process does not affect the quality of the rendering of the content material, 
often si the cost of reduced detectabiUty by a watermark detector. That is, the likelihood of a 
watermark detector producing an erroneous decoding of a watermark is not insubstantial. 
Given that watermark detection is not absolutely reliable, a need exists for a fault-tolerant 
watermark-based security process. 

10 

BRIEF SUMMARY OF THE INVENTION 

[t is an object of this invention to provide a robust and reliable copy protection 
scheme in the presence of a potentially unreliable watermark detection process. It is a further 
object of this invention to provide a copy protection scheme that is fault tolerant 

1 5 These objects and other are achieved by a multi-layered copy protection 

scheme. At an initial security level, the fault-tolerance is low. If the security test fails at this 
initial security level, the process enters a next level of security, wherein the fault-tolerance is 
increased, but at the expense of additional processing time. If the security test again fails at 
this increased security level, the process enters a higher level of security, wherein the fault- 

20 tolerance is further increased, but at the further expense of additional processing time. 

Eventually, either the security test is passed, and the material is rendered, or a determination 
is made that the failures axe not due to faults in the watermark detection process, indicating 
that the content material is, in fact, copy protected, but not authorized for rendering. 

25 BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is explained in further detail, and by way of example, with 
reference to the accompanying drawings wherein: 

FIG. 1 illustrates an example block diagram of a security system in accordance 
with this invention. 

yo FIG. 2 illustrates an example flow diagram of a security system in accordance 

with this invention. 

Throughout the drawings, the same reference numerals indicate similar or 
corresponding features or functions. 
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DETAILED DESCRIPTION OF THE INVENTION 

A variety of security schemes that are based on the decoding of one or more 
parameters from a watermark are known in the art, and further watermark-based security 
schemes can be expected to be developed in the future. Generally, however, these schemes 
5 assume that the watermark detection process is reliable, such that, when the watermark 

detection process reports a result, the security process effects a control based on the reported 
resutt 

Because common watermark detection processes are not 100% reliable, a fault 
in the detection process may be interpreted by the security process as an erroneous 

10 watermark, and the rendering of the content material may be inappropriately terminated. That 
is, the content material may be authorized for rendering, and contain a proper watermark, but 
the fault in the detection process may indicate an improper watermark, or no watermark. 
Similarly, but less likely, the content material may be unauthorized, and the fault in the 
detection process may inappropriately indicate an authorization, or may fail to identify the 

1 5 material as being copy protected. 

In accordance with this invention, a multi-level security process is preferably 
employed to distinguish between faults in the detection process, and truly faulty watermarks. 

FIG. 1 illustrates an example block diagram of a security system 100 in 
20 accordance with this invention. The system 100 includes a watermark tester 1 10, and an 

authorization system 120 that determines whether the input content material is authorized to 
be rendered, based on information provided by the watermark tester 1 10. For the purposes of 
this disclosure, the term "render" includes any subsequent transmission or processing of the 
input content material, including recording, broadcasting, playing back, converting, and so 
25 on. The authorization tester controls a gate 1 30 that determines whether the content material 
is presented to a rendering system 140, as indicated by the dashed line between the gate 130 
and the rendering system 140. 

In accordance with this invention, the authorization tester 120 is configured to 
accept test criteria 150 for determining whether the information provided by the watermark 
3 0 tester 1 1 0 warrants the connection or disconnection of the content material to the rendering 
system 140. In a conventional security system, the information from a watermark tester 1 10 
is assumed to be reliable and accurate. This invention, on the other hand, is premised on the 
realization that watermark testers are inherently unreliable and/or inaccurate, due to the 
purposeful characteristic of the watermark that it not interfere with the rendering process. The 
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test criteria 1 50 are specifically formulated to distinguish between a somewhat unreliable 
watermark tester 1 10 and an illicit copy of the content material. 

Table 1 illustrates a set of example test criteria I SO. Initially, at test level I, a 
maximum < test limit* of three watermark tests are conducted. Ideally, these three tests will 
S each report a 'success' if the content material that is being tested has the appropriate 

watermark, and will each report a failure" if the content material that is being tested has a 
faulty or inappropriate watermark. Recognizing that the watermark testing process may itself 
be faulty, the test criteria "fail limit" of table 1 indicates that one failure is acceptable. That is, 
if the three watermark tests at level 1 indicate two successes and one failure, the authorization 
1 0 tester 1 20 will declare the content material to be authorized. 



Test Level 


Test Limit 


Fail Limit 


1 


3 


1 


2 


6 


2 


3 


9 


3 



Table 1. 



If, on the other band, the test at level 1 indicates more than ono failure, the 

15 authorization tester 1 SO enters the next test level, and applies the test limits and failure limits 
indicated in table 1 for test level 2. At level 2, a maximum of six watermarking tests are 
conducted. If two or fewer failures occur during these six watermarking tests, the 
authorization tester 150 will determine that the content material is authorized. If more than 
two failures occur, the authorization tester 150 enters the next test level, requiring no more 

20 than three failures in nine tests. Additional, or fewer, test levels may be included in the test 
criteria 150. The test procedure continues until the material is determined to be authorized, or 
until completion of the Inst test, whichever occurs first If the last test is completed without a 
determination that the material is authorized, the material is rejected as being unauthorized. 

The particular interpretation of the test criteria may vary, depending upon 

25 whether prior tests are intended to affect the determinations at future test levels. That is, for 
example, the test and failure limits of table I may be cumulative limits, or, the test and failure 
limits of table 1 may be independent for each test level. 

In the cumulative example, when a second failure occurs at level I, the system 
enters level 2 with a "history" of the tests of level 1. Thus, because two failures have already 

30 occurred, the content material must pass the watermark tests for each subsequent test, until a 
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total of six tests have been conducted (two or three at level 1 that produced the two failures, 
then four ox three tests at level 2 with do failures). If, during the testing at level 2, a third 
failure occurs, the system enters level 3, and the content material must pass each of the 
remaining tests until a total of nine tests have been conducted. 
S In the independent example, when a .second failure occurs at level 1 , the 

system enters level 2. and restarts the testing process, allowing up to two additional failures 
within six additional tests. 

The choice of test criteria, as well as the choice of a cumulative testing process 
through each level. Of an independent testing process at each level, will be made dependent 

10 upon an estimato of the likelihood that the watermark tester 1 10 will report an erroneous 
result. If the watermark tester 1 10 rarely reports an erroneous result, the failure limit can be 
set to a very low value. Conversely, if the watermark tester 1 10 frequently reports erroneous 
results, a higher failure limit would be warranted. A cumulative test process will generally 
result in fewer tests being required, because the results of prior tests are not discarded. 

15 When all of the test levels have been applied and the content material 

continues to fail each test, the authorization tester ISO will d e t e rmine that the content 
material is not authorized, and wilt control the gate 130 to prevent the communication of the 
content material to the rendering system 140. 

20 The use of this invention is hereinafter presented in the context of copending 

U.S. patent application "Protecting Content from Illicit Reproduction by Proof of Existence 
of a Complete Data Set via Self-Referencing Sections", U.S. serial number 09/536,944, filed 
28 March 2000 for Antonius A. M. Staring, Michael A. Epstein, and Martin Rosner. Attorney 
Docket US000040, incorporated by reference herein. In this copending application, each 

25 section of a data set is uniquely identified and this section identifier is encoded as a 

watermark that is embedded in each section, preferably as a combination of robust and fragile 
watermarks. When an item of the data set is presented for rendering, the security system 
requests random sections of the data set, and verifies that the appropriate watermark is 
present in each of the randomly selected sections. If a sufficient number of randomly selected 

30 sections are verified, the entire data set is determined to be present If the entire data set is not 
present, the likelihood of randomly selecting an absent section is proportional to the amount 
of material that Is missing from the entire data set. This security scheme is intended to 
discourage the illicit distribution of select segments of a larger data set. 
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In the context of digital audio recordings, for example, o compliant playback 
or recording device is configured to refuse to render an individual song in the absence of 
verification that the entire contents of the CD is present, via the random watermark testing. 
The time required to download an entire album on a CD in uncompressed digital form, even 
5 at DSL and cable modem speeds, can be expected to be greater than an hour, depending upon 
network loading and other factors. Thus, by requiring that the entire contents of the CD be 
present, at a download "cost* of over an hour, the likelihood of a theft of a song via a wide- 
scale distribution on the Internet is substantially reduced. 

In accordance with (his invention, the test criteria 1 SO of FIO. 1 will be 

10 determined based upon the degree of security required, and based upon the reliability of the 
watermark testing process 1 1 0. The test limit of table 1 is generally set to assure that 8 
sufficiently large sample of the data set is verified, to assure that the entirety of the data set is 
present, and (he fail limit is set to assure that the test does not result in the rejection of 
authorized content material due to occasional errors in the watermark testing process 1 1 0. 

1 5 The partitioning of the test into multiple levels provides for efficient testing, when it becomes 
very obvious, based on a low failure rate, thai the data set must be present That is, the lower 
level tests are preferably structured with a low failure, so that, if the watermarking test is 
reliable, (he test at (he lower level ends with an authorization to render the material, if the 
material is authorized. Tune is spent performing the subsequent level tests only if the entirety 

20 of the data set is not present, or when a premature rejection of content material is to be 
avoided. 

FIG. 2 illustrates an example flow diagram for a multi-level authorization 
process in accordance with this invention. At 210, the iniual pass/fail test criteria are set, 
corresponding for example to the first level (est of (able 1. At 220, a watermark test is 
25 conducted, and a pass/fait result is produced. 

tf the number of failures thus far is below the 'fail liroif, at 230, the number of 
tests conducted thus far is assessed. If, at 240, the number of tests thus far is below the test 
limif, the process loops back to conduct the next watermark test, at 220. Otherwise, if the 
number of tests conducted thus far equals the test limit, the process terminates with an 
30 "authorized" result, at 250. 

If the number of failures thus far has reached the 'fail limit', at 230. a 
deterrnination is made, at 260, as to whether there are additional test levels available. If not, if 
the terminal tests have been conducted, then the process terminates with a "non-authorized" 
result, at 270. If, at 260, additional test levels are available, then the next set of test criteria 
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replaces the prior set of test criteria, at 280, and the process loops back to conduct the next 
watermark test, at 220. As discussed above, when the next level criteria Is loaded, at 280. the 
prior accumulation of tests and failures is either discarded, for independent test levels, or not 
discorded, for accumulated test levels. 

5 

The foregoing merely illustrates the principles of the invention. It will thus be 
appreciated that those skilled io the art will be able to devise various arrangements which, 
although not explicitly described or shown herein, embody the principles of the invention and 
are thus within its spirit and scope. For example, the test criteria 150 of FIO. 1 are presented 

1 0 above as a relatively static set of criteria. Adaptive testing may also be conducted, wherein 
the test criteria at each level is determined based on past performance, or based on external 
parameters, such as a 'noiso figure' or 'quality figure' that may be provided by the watermark 
tester 1 10, or other device. The past performance could include a history of errors assoc i a t ed 
with the watermark tester 1 10 (e.g. an average number of reported failures for material that 

I 5 was eventually determined to be authorized), wherein the failure limit Is dynamically set 
based on the prior error rate. Additionally, the past performance could include a history of 
attempted renderings of unauthorized material, wherein the test limit is dynamically set based 
on the rate of prior authorizations or un-authorizations. These and other system configuration 
and optimization features will be evident to one of ordinary skill in the art in view of this 

20 disclosure, and are included within the scope of the following claims. 
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CLAIMS: 



! . A security system (100) for protecting content material, comprising: 

a watermark tester (110) that is configured to detect one or more parameters 

associated with a watermark that La associated with the content material, and 

an authorization tester (1 20), operably coupled to the watermark tester (U OX 
5 that is configured to determine an authorization corresponding to the content material, based 

on the one or more parameters detected by the watermark tester (1 10), and one or more test 

criteria (150), wherein 

the one or more test criteria (150) are based on a likelihood of error associated 

with the watermark tester (t 10) in determining the one or more parameters associated with 
10 the watermark. 

2. The security system ( 1 00) of claim 1 , wherein 

the one or more test criteria { 1 50) includes a set of criteria for each of a 
plurality of test levels, and 
15 the authorization tester (120) is configured to select a next set of criteria of the 

plurality of test levels when the authorization tester (120) fails to determine an authorization 
based on a prior set of criteria of Ihe plurality of test levels. 

3. The security system (100) of claim 2, wherein 
20 each set of criteria includes: 

a test limit that corresponds to a minimum number of tests that are to 
be conducted by the watermark tester (1 10) to determine the authorization, and 

a fail limit that corresponds to a maximum number of failures to 
determine the authorization. 

25 

4. The security system ( 1 00) of claim 3, wherein 

the authorization tester ( 1 20) applies the next set of criteria based on results of 
the watermark tester (1 10) while applying the prior set of criteria. 



(19) 



JP 2004-523799 A 2004. 8. 5 



wo 02/06*D7i pcivrooroo459 

9 

5. Tbe security system (1 CO) of claim 3, wherein 

the authorization tester (120) applies the next set of criteria independent of 
results of the watermark tester (1 10) while applying the prior set of criteria. 

5 6. The security system ( 1 00) of claim I , wherein 

the one or more test criteria (1 SO) includes: 

a test limit that corresponds to a minimum number of tests that are to 
be conducted by the watermark tester (110) to determine the authorization, and 

a fail limit that corresponds to a maximum number of failures to 
10 determine the authorization. 

7. The security system (100) of claim 1 , wherein 
the one or more test criteria (150) includes 

a test limit that corresponds to a maximum number of tests that are to 
I 5 be conducted by the watermark tester (U 0) to reject the content material. 

8. The security system (100) of claim 1, wherein 

the authorization tester (120) is configured to determine whether an entirety of 
a data set is present, based on watermarks associated with segments of the data set. 

20 

9. The security system ( 1 00) of claim 8, wherein 

the authorization tester (1 20) is configured to select a random segment of the 
data set for testing by the watermark tester ( 1 10). 



25 10. A method for protecting content material, comprising: 

detecting (220) one or more parameters associated with a watermark that is 
associated with the content material, and 

determining (230-280) an authorization corresponding to the content material, 
based on the one or more parameters and one or more test criteria (1 50), wherein 
30 the one or more test criteria (1 50) are based on a likelihood of error associated 

with the detecting of the one or more parameters associated with the watermark. 



1 1 . The method of claim 1 0, wherein 
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the one or mora test criteria (1 50) includes a set of criteria for each of a 
plurality of test levels, and 

determining (230-280) the authorization includes: 

selecting (280) a next set of criteria of the plurality of test levels upon failing 
5 (230) to determine an authorization based on a prior set of criteria of the plurality of test 
levels. 

12. The method of claim 11, wherein 

each set of criteria includes: 
10 a test limit lhat corresponds to a minimum number of lests that are to 

be conducted to determine the authorization (240), and 

a fail limit that corresponds to a maximum number of failures to 
determine the authorization (230). 



IS 13. The method of claim 11, v 

determining the authorization based on the next set of criteria includes results 
while applying the prior set of criteria. 

14. The method of claim 1 1 , wherein 

20 determining the authorization based on the next set of criteria is independent 

of results while applying the prior set of criteria. 

15. The method of claim 10, wherein 

the one or more test criteria (150) includes: 
25 a test limit lhat corresponds to a minimum number of tests that are to 

be conducted to determine the authorization (240), and 

a fail limit that corresponds to a maximum number of failures to 
determine the authorization (230). 

30 16. The method of claim 10, wherein 

the one or more test criteria (150) includes 

a lest limit that corresponds to a maximum number of tests that are to 
be conducted to reject the content material (260). 
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17. The method of claim 10, wherein 

determining the authorization corresponds to determining whether an entirety 
of a data set is present, based on watermarks associated with segments of the data set 

5 18. The method of claim 17, further including 

selecting a random segment of the data set 
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